Can Poor Data Management Compromise HIPAA Privacy and Security?

By Paul James

Hospitals and health systems collect patient data from a variety of different departments across the organization—including billing, ER, medical records, and more. Over time, as patients change addresses and their medical conditions and histories evolve, this data gets increasingly messy. It’s not uncommon for hospitals to have duplicate patient data, fragmented or missing information, and other data quality issues when there is no enterprise master patient index (EMPI) solution to unify this information into one 360-degree patient view.

Each department within a hospital has different needs and purposes, different data requirements, and different systems in which they enter the data, making a unified digital picture for each patient difficult to generate. Poor data quality—messy data—is a headache in any organization, in any industry, to be sure. But what amounts to an internal inconvenience can easily turn into a legal violation of patients’ privacy rights when the industry you’re in is healthcare.

According to the US Department of Health and Human Services, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) “creates national standards to protect individuals’ medical records and other personal health information. It gives patients more control over their health information; it sets boundaries on the use and release of health records; it establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information; it holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights; and it strikes a balance when public responsibility supports disclosure of some forms of data—for example, to protect public health.”

So, while an EMPI alone cannot and does not serve as a HIPAA compliance solution for hospitals and health systems, there are several ways that it can mitigate the risk of ending up in violation:

Billing—Poor data quality can mean that all the information needed to bill a patient or provider is either inaccurate or unavailable. Addresses can be particularly difficult to keep up-to-date without an EMPI, as often, patients may change addresses and not notify their doctor or hospital until the next time they come in for medical care, which can be months or even years after their last visit. This can result in medical bills, which may contain sensitive information about what tests or procedures were performed, ending up in the hands of the wrong patient or provider, compromising patient privacy.

Medical records—When a patient signs a release to receive their own medical records (x-ray films or lipid panel result printouts, for example), a lot can go wrong. Confusing Kelly Smith with Kelley Smith in the system, having two people named Scott Jones, or mistaking Oak Road for Oak Avenue can easily result in releasing the wrong records to the wrong patient. These are human errors, to be sure, but at the heart of them is a lack of data quality controls.

Marketing—Consider direct mailers sent to patient homes. One risk, as we’ve discussed in other areas, is inaccurate address information. But beyond that, if a hospital wants to send out a notice about new, advanced cancer diagnostics equipment they’ve received, for example, and they target households where patients have used their oncology services before, potential data errors once again put patient privacy at risk, allowing for the possibility of confidential health information to be seen by the wrong people.

An article from SecureNetMD titled “The 10 Most Common HIPAA Violations and How They Arise” lists at least three potential violations in which poor data quality could be the root of the issue: “Releasing information to the wrong people, sending out the wrong patient’s information, and unprotected electronic data storage.” Of course, the greatest weakness in all these processes is human error. And while an EMPI alone cannot serve as a HIPAA compliance solution, it is an important tool for greatly reducing the impact of human error by introducing the ability to create a clean, 360-degree view of each patient. When it comes to patient privacy, why leave anything up to chance?

Find out how Maury Regional Medical Center was able to manage data across five different EHR systems with an EMPI, delivering major improvements to data reliability and patient and provider engagement.